Lawmakers Reach Landmark Agreement on Bipartisan, Bicameral Comprehensive Privacy Legislation

April 10, 2024


Key Points

  • On Sunday, April 7, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce (E&C) Committee Chair Cathy McMorris Rodgers (R-WA) struck a deal on a comprehensive federal bill, the American Privacy Rights Act (APRA), marking the first such proposal to gain bipartisan, bicameral support with the backing of Chair Cantwell.
  • The introduction of the APRA marks significant progress in negotiations, building off of progress made last Congress with the introduction of the American Data and Privacy Protection Act (ADPPA; H.R. 8152). Specifically, the latest discussion draft reflects agreement by the two committee chairs on two key issues: (1) the timeline for a private right of action for enforcement, which was previously opposed by some Republicans, and (2) preemption of existing state privacy laws, which faced opposition from some Democrats, particularly those from California.
  • While the draft proposes terminating the Federal Trade Commission (FTC)’s 2022 Advance Notice of Proposed Rulemaking (ANPRM) on commercial surveillance and data security, the FTC is expected to proceed on the rulemaking and the Biden Administration is expected to continue exploring executive action absent additional Congressional momentum on privacy.
  • Chair Cantwell and Chair McMorris Rodgers are expected to quickly move to formally introduce the bill, and the House E&C Innovation Subcommittee has noticed a legislative hearing on April 17 to consider the draft, along with several other privacy and children’s online safety measures. While Chair McMorris Rodgers will be retiring this Congress and has outlined her continued focus on advancing bipartisan privacy legislation, it’s unclear whether the measure will gain traction this Congress, particularly given the upcoming 2024 elections and expected opposition from Senate Commerce Committee Ranking Member Ted Cruz (R-TX).

Introduction

On Sunday, April 7, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce (E&C) Committee Chair Cathy McMorris Rodgers (R-WA) released a discussion draft of a comprehensive national data privacy and security bill—dubbed the American Privacy Rights Act (APRA)—marking the first bipartisan, bicameral privacy proposal to gain the support of Chair Cantwell.

The bill is the product of years of negotiation, beginning in the 116th Congress in 2019 with the formal introduction of competing proposals in the Senate by Chair Cantwell and then-Commerce Committee Ranking Member Roger Wicker (R-MS), followed by the release of a bipartisan discussion draft in the House by the E&C Committee. Notably, that House draft did not contain legislative language on controversial provisions such as preemption of state laws and a private right of action for enforcement, instead leaving those areas in brackets for stakeholder input. Bipartisan discussions tapered off with little progress, culminating in House Republicans unveiling their own draft in 2021—the Control Our Data Act.

The 117th Congress subsequently featured the introduction of the American Data and Privacy Protection Act (ADPPA; H.R. 8152)—the first proposal to gain bipartisan, bicameral support after years of disagreement on the correct approach to preemption, private right of action and arbitration. While the ADPPA marked significant progress in negotiations, it notably lacked the support of Chair Cantwell as a result of her preference for prohibiting the use of mandatory pre-dispute arbitration agreements by covered entities, in addition to her objection to the four-year delay in the effective date of the private right of action. Chair Cantwell’s opposition ultimately prevented the legislation from moving forward in the legislative process, even after the bill cleared the House E&C Committee.

Because Chair Cantwell did not support last Congress’ bipartisan proposal and had previously begun circulating a revised version of her privacy bill first unveiled in 2019—the Consumer Online Privacy Rights Act (S. 3195)—her collaboration with Chair McMorris Rodgers on the new agreement this Congress is particularly noteworthy. E&C Ranking Member Frank Pallone (D-NJ) has also issued a positive statement on the framework, while noting there are key areas in which he thinks the bill could be strengthened, particularly with respect to children’s privacy.

However, Senate Commerce Ranking Member Ted Cruz (R-TX) has signaled opposition to the bill’s private right of action and delegation of enforcement authority to the Federal Trade Commission (FTC), voicing concern about the resulting impact on competition, internet speech and diversity, equity and inclusion (DEI) compliance.

Key Provisions

As previously noted, the American Privacy Rights Act (APRA) strikes a compromise with regard to the longstanding sticking points of federal preemption and a private right of action, in addition to the issue of pre-dispute arbitration.

While the bill would generally preempt state privacy laws, the language does provide for some exceptions via an enumerated list of state laws, including consumer protection laws, civil rights laws, provisions of laws that address the privacy of employees or students and provisions of laws that address data breach notification. The draft provides that California residents may recover statutory damages consistent with the California Privacy Rights Act for an action related to a data breach, as well as those consistent with Illinois’s Biometric Information Privacy Act and Genetic Information Privacy Act for an action involving a violation of the affirmative express consent provisions for biometric and genetic information where the conduct occurred substantially and primarily in Illinois.

Similar to the ADPPA, the discussion draft’s preemption language would also carve out state trespass, contract or tort law, although the new draft differs from the ADPPA in that it does not carve out laws addressing facial recognition technologies. While the bill recognizes compliance with other federal statutes such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) for purposes of the Act’s privacy and data security requirements, other provisions such as executive certification would still be applicable.

The legislation would allow for enforcement by the Federal Trade Commission (FTC) and state attorneys general, also providing for a private right of action. Last Congress’ ADPPA allowed individuals to, four years after the date of enactment, generally bring a civil action in federal court seeking compensatory damages, injunctive relief, declaratory relief and reasonable attorney’s fees and litigation costs. However, under the new draft, this provision would kick in 180 days after the date of enactment. The discussion draft also shortens the ADPPA’s 45-day cure period to 30 days.

Like the ADPPA, the discussion draft prohibits covered entities from enforcing mandatory pre-dispute arbitration agreements or joint action waivers with respect to minors. The new draft also brings within the scope of that prohibition claims alleging a violation that resulted in a substantial privacy harm, and it removes language precluding pre-dispute joint action waivers for arbitration or administrative proceedings regardless of age. The bill would cover any entity that collects, processes or transfers covered data and is subject to the jurisdiction of the FTC, including nonprofits and telecommunications common carriers.

“Covered data” is defined as information identifying, linked or reasonably linkable to an individual or device linkable to an individual, carving out de-identified data, employee data or publicly available information. The latest discussion draft also carves out information in a library, archive or museum collection subject to specific limitations. “Sensitive covered data” is defined to include the following:

  • Government-issued identifiers not required to be displayed in public such as social security and passport numbers; past, present and future health, diagnosis, disability or treatment information; financial account, debit card and credit card numbers along with any access code, password or credentials.
  • Biometric information.
  • Genetic information.
  • Precise geolocation information.
  • Private communications such as voicemail, email, text or information identifying parties to communications.
  • Any account or device log-in credentials.
  • Information revealing race, ethnicity, national origin, religion, union membership status, sexual orientation or sexual behavior that violates an individual’s reasonable expectations on disclosure.
  • Information revealing online activities over time and across third-party online services.
  • Calendar, address book, phone, text, photos, audio and video recordings maintained for private use on a device.
  • Photos or videos of naked or undergarment-clad private areas.
  • Information revealing individuals' access to or viewing of TV, cable or streaming media services.

Rather than relying solely on a “notice and consent” regime, and in an aim to avoid placing the burden for privacy on the consumer, the bill utilizes “duty of loyalty” provisions, barring covered entities from collecting, processing or transferring covered data beyond what is reasonably necessary, proportionate and limited to provide specific products and services.

The measure establishes several user rights, including rights to access, correction, deletion and portability, as well as the right to opt out of targeted advertising and data transfers. Further, the bill would prohibit the transfer of sensitive covered data to third parties without the consumer’s affirmative express consent.

While the discussion draft imposes additional requirements and responsibilities on “large data holders” similar to those in the ADPPA, the new draft includes a more prescriptive definition. Such data holders are defined to include covered entities with gross revenues above $250 million that collected, processed, retained or transferred (1) covered data of over five million individuals or devices, 15 million portable or connected devices reasonably linkable to an individual, and 35 million connected devices reasonably linkable to an individual; or (2) the sensitive covered data of 200,000 individuals or devices, 300,000 portable or connected devices reasonably linkable to an individual and 700,000 connected devices reasonably linkable to an individual in the most recent calendar year. These entities must provide short-form notices of their covered data practices (such requirements will be established in FTC guidance now due within 180 days of enactment), in addition to assessing their algorithms annually and submitting annual algorithmic impact assessments to the FTC. Such entities would also be subject to additional corporate accountability requirements, including annually certifying that they maintain reasonable internal controls and reporting structures for compliance with the Act.

With regard to data security, the legislation requires covered entities to implement and maintain data security practices and procedures that protect and secure covered data against unauthorized use and acquisition. In determining whether such protections are reasonable, factors such as the entity’s size, complexity and activities related to covered data would be taken into consideration.

Like the ADPPA, the discussion draft provides a carve-out for certain small and medium-sized covered entities, under an adjusted threshold. Under the new draft, the term “small business” encompasses an entity that, for the prior three years, (1) earned gross annual revenues of $40 million or less (adjusted from $41 million in the initial ADPPA), (2) did not collect or process the covered data of 200,000 individuals in a year, except for processing payments, and (3) did not derive any revenue from transferring covered data (adjusted from allowing such businesses to derive less than half their revenue from transferring covered data in the initial ADPPA). These entities would be exempt from the Act’s data portability requirements and most of the data security requirements. They may also choose to delete, rather than correct, an individual’s covered data upon receiving such a verified request.

The legislation would treat violations of the Act as violations of a rule defining an unfair or deceptive act or practice under the FTC Act, allowing the agency to obtain civil penalties for initial and subsequent violations. Within one year of enactment, the bill directs the FTC to establish a new bureau to carry out its authority under the Act that is comparable to the current Bureaus of Consumer Protection and Competition.

The discussion draft notably removes provisions establishing data protections for children and minors, including the requirement that the FTC create a Youth Privacy and Marketing Division, which, under the ADPPA, was directed to submit annual reports to Congress and hire staff that includes children’s privacy experts.

The draft retains the ADPPA’s language requiring large data holders to, under certain circumstances, conduct impact assessments of “covered algorithms”—defined to encompass computational processes that use machine learning, natural language processing, artificial intelligence (AI) techniques or other similar computational processing techniques to make a decision with respect to covered data.

Outlook

Chair Cantwell and Chair McMorris Rodgers are expected to quickly move to formally introduce the bill, and the House E&C Innovation Subcommittee has noticed a legislative hearing on April 17 to consider the draft, along with several other privacy and children’s online safety measures. While Chair McMorris Rodgers will be retiring this Congress and has outlined her continued focus on advancing bipartisan privacy legislation, it’s unclear whether the measure will gain traction this Congress, particularly given the forthcoming 2024 elections.

Of note, the draft would expressly terminate the FTC’s 2022 Advance Notice of Proposed Rulemaking (ANPRM) on commercial surveillance and data security. However, the agency has expressed interest in proceeding on the rulemaking in the absence of Congressional action on privacy. Thus, should the legislation fail to advance this Congress, we would still expect developments on the rulemaking from the Commission, as well as the exploration of further executive action by the Biden Administration.

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.